[Logcheck-users] Problem with rules being 'ignored'

Max Zimmermann maxzimmermann at googlemail.com
Sun Mar 16 20:08:15 UTC 2008


Hey there, sorry to bug you,

I've run into a little problem concerning a logcheck rule I just wrote.

I use logcheck and logcheck-database on Debian Etch. When logcheck
reports something to me that I don't want it to, I normally write a rule
to match that log entry and put it in a file called my_rules in
/etc/logcheck/ignore.d.server/ ... that worked perfectly fine, until
this rule:

Logcheck keeps reporting this to me:

Security Events
=-=-=-=-=-=-=-=
Mar 16 15:45:48 uhweb64206 postfix/smtpd[21799]: NOQUEUE: reject_warning: RCPT from unknown[220.231.197.4]: 504 5.5.2 <220.231.197.4>: Helo command rejected: need fully-qualified hostname; from=<lory9@syssrc.com> to=<diequeen@klappspaten.info> proto=ESMTP helo=<220.231.197.4>


So I wrote this rule:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: reject_warning: RCPT from [^[:space:]]+: 504 5.5.2 [^[:space:]]+: Helo command rejected: need fully-qualified hostname; from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$

And to test whether it works:

uhweb64XXX:/home/max# sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: reject_warning: RCPT from [^[:space:]]+: 504 5.5.2 [^[:space:]]+: Helo command rejected: need fully-qualified hostname; from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$'

And the output comes out correctly:

Mar 16 15:45:48 uhweb64206 postfix/smtpd[21799]: NOQUEUE: reject_warning: RCPT from unknown[220.231.197.4]: 504 5.5.2 <220.231.197.4>: Helo command rejected: need fully-qualified hostname; from=<lory9@syssrc.com> to=<diequeen@klappspaten.info> proto=ESMTP helo=<220.231.197.4>

The problem is that logcheck STILL keeps reporting that kind of message
to me, including the particular one above. Can someone tell me what I'm
doing wrong?

Thanks a lot!!!!

Max
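An added example, written by the editor and not part of Max's post or of the logcheck project: a miniature of logcheck's two report stages built from sed and grep -E (the same engine egrep uses). Logcheck fills the "Security Events" section with lines matched by violations.d and not matched by violations.ignore.d; the ignore.d.server rules are only consulted for the "System Events" stage. The script below reproduces that with a constructed two-line log, a constructed one-keyword stand-in for Debian's violations.d/logcheck list, and the rule from the post written on a single line (it has to be one line in the rule file; the mail wrapping above is cosmetic). The temporary tree under $RULES stands in for /etc/logcheck, and the file name logcheck-myrules is an assumed name following the logcheck-* convention of the stock violations.ignore.d files.

```shell
#!/bin/sh
# Editor's example, not code from the post or from logcheck. Simulates the
# two logcheck report stages with sed and grep -E over a constructed log.
set -eu

# Build a throw-away rule tree under DIR (stands in for /etc/logcheck).
setup_rules() {
    dir=$1
    mkdir -p "$dir/violations.d" "$dir/violations.ignore.d" "$dir/ignore.d.server"

    # Constructed sample log: a postfix line shaped like the one in the post,
    # with example.com addresses, plus an unrelated cron line as filler.
    postfix_line='Mar 16 15:45:48 uhweb64206 postfix/smtpd[21799]: NOQUEUE: reject_warning: RCPT from unknown[220.231.197.4]: 504 5.5.2 <220.231.197.4>: Helo command rejected: need fully-qualified hostname; from=<sender@example.com> to=<user@example.com> proto=ESMTP helo=<220.231.197.4>'
    # Trailing blanks added on purpose: logcheck strips trailing whitespace
    # before matching, which is what lets a rule safely end in $.
    printf '%s   \n' "$postfix_line" > "$dir/syslog"
    printf '%s\n' 'Mar 16 15:46:01 uhweb64206 cron[21800]: (root) CMD (run-parts /etc/cron.hourly)' >> "$dir/syslog"

    # The rule from the post, on one line as it must be in the rule file.
    rule='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: reject_warning: RCPT from [^[:space:]]+: 504 5.5.2 [^[:space:]]+: Helo command rejected: need fully-qualified hostname; from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$'
    printf '%s\n' "$rule" > "$dir/ignore.d.server/my_rules"

    # Constructed stand-in for Debian's violations.d/logcheck keyword list;
    # any line matching it is routed to the "Security Events" section.
    printf '%s\n' 'reject' > "$dir/violations.d/logcheck"
}

# Same trailing-whitespace strip as the test command in the post.
normalise() { sed -e 's/[[:space:]]*$//' "$1"; }

# Concatenate the ignore files paired with violations.d/logcheck
# (logcheck-* names); prints nothing when there are none yet.
violation_ignores() {
    cat "$1"/violations.ignore.d/logcheck* 2>/dev/null || true
}

# "Security Events": matched by violations.d and not by violations.ignore.d.
# Note that ignore.d.server is never consulted at this stage.
security_events() {
    violation_ignores "$1" > "$1/vio.ignore"
    normalise "$1/syslog" \
      | { grep -E -f "$1/violations.d/logcheck" || true; } \
      | { grep -E -v -f "$1/vio.ignore" || true; }
}

# "System Events": every line not matched by an ignore.d.server rule.
system_events() {
    normalise "$1/syslog" \
      | { grep -E -v -f "$1/ignore.d.server/my_rules" || true; }
}

# Number of lines a stage (security_events or system_events) would report.
count_events() { "$1" "$2" | wc -l | tr -d ' '; }

# The fix: install the same rule under violations.ignore.d as well, in a
# file named after the violations.d file whose matches it suppresses.
add_violation_ignore() {
    cp "$1/ignore.d.server/my_rules" "$1/violations.ignore.d/logcheck-myrules"
}

RULES=$(mktemp -d)
trap 'rm -rf "$RULES"' EXIT
setup_rules "$RULES"
echo "before: security=$(count_events security_events "$RULES") system=$(count_events system_events "$RULES")"
add_violation_ignore "$RULES"
echo "after:  security=$(count_events security_events "$RULES") system=$(count_events system_events "$RULES")"
```

Before the fix the postfix line is already gone from the system stage (the ignore.d.server rule does its job there) but still counted by the security stage; after copying the rule into violations.ignore.d it disappears from both, which is the behaviour the post is asking about. On a real host the same check can be run against the live rule tree with logcheck's own test mode (logcheck -o -t, as the logcheck user) rather than with this miniature.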
